Hello,
I am rather new to using Kibana, so please don't mind if I misuse terminology.
In the end my issue is about presenting AWS Security Hub data, the findings end up in Elasticsearch / Kibana where we want to process and visualize the events further.
To really dumb down the generated log entries, consider this:
{
"Id":"uniqueId",
"FirstSeen":"timestamp",
"LastSeen":"timestamp",
"Label":"some string"
}
If I want to count how many events of each Label were found this month, I'd need to filter for LastSeen newer than beginning of month and because one Finding is logged every 12 hours, I need to count for unique Ids as well. That I can do.
Now I want to have a representation for count of two months and calculate the change as percentage. Say, have a table "Label", "previous month", "current month", "percentage of difference".
I am totally lost here.
Counting log entries that existed in previous month would have to be done by searching in the time range of last month, or by looking at the FirstSeen field. That always stays the same as long Id is still an issue, so if I see FirstSeen of previous year in current event, I know it was an issue last month as well.
Is this possible at all?
I already added a yearmonth_id field in form of "YYYY-MM-Id" cause I thought I could work with that to have a distinct Id for each month, but yeah, I still can't figure out if that would be useful.
Regards,
Kai.